authorRobb Manes <robb.manes@gmail.com>2018-10-26 18:01:46 -0600
committerBryn M. Reeves <bmr@redhat.com>2019-03-18 20:02:58 +0000
commitcbedcff40c44713c82c2e676d6dfcc8e502d3566 (patch)
tree520a829b3418a00edc60eb8772dbc7c0f5f53e2e
parent2cfc2d7726691de523efd8a7dea04affbbab2480 (diff)
[openswan] Forbid collection of secrets and certdb
When collecting IPSec data, currently nothing prevents the collection of keys or the cert.db files. Ensure we don't collect this information as it is private. Thanks to Robert Bost (@bostrt) for discovering this and Matt Rogers (@mrogers950) for double checking what we should ignore. Resolves: #1463 Signed-off-by: Robb Manes <rmanes@redhat.com> Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
-rw-r--r--sos/plugins/openswan.py7
1 files changed, 6 insertions, 1 deletions
diff --git a/sos/plugins/openswan.py b/sos/plugins/openswan.py
index 4011aeed..f9241660 100644
--- a/sos/plugins/openswan.py
+++ b/sos/plugins/openswan.py
@@ -36,6 +36,11 @@ class Openswan(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):
if self.get_option("ipsec-barf"):
self.add_cmd_output("ipsec barf")
- self.add_forbidden_path("/etc/ipsec.d/key[3-4].db")
+ self.add_forbidden_path([
+ '/etc/ipsec.secrets',
+ '/etc/ipsec.secrets.d/*',
+ '/etc/ipsec.d/*.db',
+ '/etc/ipsec.d/*.secrets'
+ ])
# vim: set et ts=4 sw=4 :
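Review bot: The new `'/etc/ipsec.secrets.d/*'` pattern only matches direct, non-hidden entries of that directory, so if the plugin's copy spec (outside this hunk) captures the directory and secrets live in a subdirectory or a dot-prefixed file, they would still be collected; consider adding `'/etc/ipsec.secrets.d/**'` or documenting the limitation. The list argument also presumes that `add_forbidden_path` in this tree accepts a list rather than a single string; if it does not, each pattern needs its own call. The intent of the block is worth a line above the call, e.g. `# key material, NSS databases (key*.db, cert*.db) and included secrets files are private and must never be collected`. The enclosing `setup` method starts outside the hunk.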